U.S. E-Authentication Interoperability Lab Engineer

Similar documents
Interagency Advisory Board Meeting Agenda, August 25, 2009

Leveraging HSPD-12 to Meet E-authentication E

Security and Certificates

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

Who s Protecting Your Keys? August 2018

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

Dissecting NIST Digital Identity Guidelines

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

SAML-Based SSO Solution

Network Security Essentials

Security+ SY0-501 Study Guide Table of Contents

Overview. SSL Cryptography Overview CHAPTER 1

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Identity Provider for SAP Single Sign-On and SAP Identity Management

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Unified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration

SAML-Based SSO Solution

Scan Report Executive Summary

Extending Services with Federated Identity Management

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA

CA SiteMinder Federation

Kerberos for the Web Current State and Leverage Points

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Introduction of the Identity Assurance Framework. Defining the framework and its goals

Technical Trust Policy

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Scan Report Executive Summary

SAP Single Sign-On 2.0 Overview Presentation

Canadian Access Federation: Trust Assertion Document (TAD)

CIP Security Pull Model from the Implementation Standpoint

Canadian Access Federation: Trust Assertion Document (TAD)

Federal Information Processing Standard (FIPS) What is it? Why should you care?

E-Authentication Handbook for Federal Government Agencies

SELF SERVICE INTERFACE CODE OF CONNECTION

Managing Certificates

KEY DISTRIBUTION AND USER AUTHENTICATION

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

CA SiteMinder Federation

April Understanding Federated Single Sign-On (SSO) Process

Configuring SSL CHAPTER

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Warm Up to Identity Protocol Soup

Axway Validation Authority Suite

Interagency Advisory Board Meeting Agenda, July 28, 2010

802.1x Port Based Authentication

INFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council

TECHNICAL GUIDE SSO SAML Azure AD

1. Federation Participant Information DRAFT

Digital Certificates Demystified

DDS Identity Federation Service

Configuring SSL. SSL Overview CHAPTER

eidas Interoperability Architecture Version November 2015

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Configuring SSL. SSL Overview CHAPTER

Federal Identity, Credentialing, and Access Management. OpenID 2.0 Profile. Version Release Candidate

The SafeNet Security System Version 3 Overview

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

CA CloudMinder. SSO Partnership Federation Guide 1.51

Canadian Access Federation: Trust Assertion Document (TAD)

PKI and FICAM Overview and Outlook

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments.

Canadian Access Federation: Trust Assertion Document (TAD)

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

National Identity Exchange Federation. Certificate Policy. Version 1.1

Oracle Utilities Opower Solution Extension Partner SSO

Configuring Claims-based Authentication for Microsoft Dynamics CRM Server. Last updated: May 2015

Udemy for Business SSO. Single Sign-On (SSO) capability for the UFB portal

Canadian Access Federation: Trust Assertion Document (TAD)

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

ArcGIS Server and Portal for ArcGIS An Introduction to Security

DirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure

Canadian Access Federation: Trust Assertion Document (TAD)

University of Cincinnati Federated Identity Strategy

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

Interagency Advisory Board Meeting Agenda, Wednesday, February 27, 2013

All about SAML End-to-end Tableau and OKTA integration

National Identity Exchange Federation. Terminology Reference. Version 1.0

Measuring Authentication: NIST and Vectors of Trust

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

FIPS Management. FIPS Management Overview. Configuration Changes in FIPS Mode

Cryptography and Network Security

SWAMID Identity Assurance Level 2 Profile

October 14, SAML 2 Quick Start Guide

Google Cloud Platform: Customer Responsibility Matrix. April 2017

CERTIFICATE POLICY CIGNA PKI Certificates

Single Sign-On (SSO)Technical Specification

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Transcription:

Using Digital Certificates to Establish Federated Trust chris.brown@enspier.com U.S. E-Authentication Interoperability Lab Engineer

Agenda U.S. Federal E-Authentication Background Current State of PKI in E-Authentication Future of PKI in E-Authentication Conclusion

E-Authentication Background What is E-Authentication? Federal documents that support E- Authentication Protocol Background E-Authentication Interoperability Lab

What is E-Authentication? Trusted and secure standards-based authentication architecture Focuses on meeting the authentication business needs of the U.S. E-Government initiatives Based on U.S. Government documents M- 04-04 and SP800-63

M-04-04 Defines four assurance levels: Level 1: Little or no confidence in the asserted identity s validity Level 2: Some confidence in the asserted identity s validity Level 3: High confidence in the asserted identity s validity Level 4: Very high confidence in the asserted identity s validity

M-04-04 Risk Assessment Risk based on impact categories

Special Publication 800-63 Provides technical guidance to U.S. agencies. Defines what authentication mechanisms can be used for each assurance level.

Special Publication 800-63 Level one and two assurance levels: Generally password/pin based Level one requires protection of the of the credential, but does not require identity proofing Level three and four assurance levels: Typically cryptographic based authentication (X.509 certificates) Level four assurance level must be a hard token (e.g. smartcard)

E-Authentication Background 31 operational applications. Trust is the key: Applications must trust Identity Providers Identity Providers must trust applications Privacy must be maintained

Protocol Background Adopted the Browser Artifact Profile of the SAML 1.0 protocol E-Authentication has it s own nomenclature: Relying Party = Service Provider Credential Service = Identity Provider

Protocol Background Mutually authenticated TLS chosen to secure communications between the service provider and identity provider Service providers can not interoperate with an identity provider of a lower assurance level Three separate certificate authorities were established by the U.S. Government

E-Authentication Interoperability Lab Experts in the federated identity technology The lab works with COTS Identity and Access Management software products that are used to perform identity federation Consult with Federal agencies who are implementing identity federation with E-Authentication. The E-Authentication interoperability laboratory is the only known facility in the world that provides these services.

Agenda U.S. Federal E-Authentication Background Current State of PKI in E-Authentication Future of PKI in E-Authentication Conclusion

Current State of PKI in E-Authentication PKI Credentials are used for authentication between service providers and identity providers Mutual TLS presents hurdles Path validation engines are not robust PKI Credentials are used as the basis of certificate based authentication of end users at E-Authentication level 3 and 4.

Mutual TLS Overview Service Provider Identity Provider 1. Client Hello 2. Server Hello 3. Certificate 4. Certificate Request 7. Certificate 14. Encrypted Data 14. Encrypted Data

PKI Issues PKI is not a well known subject among engineers Asymmetric/Symmetric cryptography Private Keys Passwords

PKI Issues Web servers have differences in implementation of TLS Configuration not intuitive Implementations are buggy Troubleshooting is hard

TLS Anecdote #1 Certificate Formatting As an IdP, one product would deny all client (service provider) certificates. not signing certificate written to IdP log file Lab determined that all certificates with the id-kpclientauth (client authentication) bit set in the extended key usage extension were rejected by the IdP. Extension bit is allowed by TLS and the EGCA profile Trouble ticket opened/patch issued

TLS Anecdote #2 Cipher Suites Service Provider Identity Provider 1. Client Hello 2. Server Hello 3. Certificate 7. Certificate Service provider presents a list list of of cipher suites that that it it will will accept. 4. Certificate Request 14. Encrypted Data 14. Encrypted Data

TLS Anecdote #2 Cipher Suites Weak cipher suites are sent from the SP to the IdP (MD5withRC4) IdP web servers often pick the weak cipher Only FIPS-approved algorithms should be used in E- Authentication transactions No SP products can be configured to send approved cipher suites IdP web servers should be configured to accept only FIPS approved algorithms or end the negotiation

TLS Anecdote #3 Algorithm Mismatch Service Provider 1. Client Hello Connection between SP SP and and IdP IdP was was closed mid-stream during transmission of of the the identity assertion. Identity Provider 2. Server Hello 3. Certificate 4. Certificate Request 7. Certificate 14. Encrypted Data 14. Encrypted Data

TLS Anecdote #3 Algorithm Mismatch During testing, an E-Authentication IdP used a toolkit that was not tested by the Interoperability Lab. Lab used an open source tool that decrypted TLS traffic to debug. SP presented Cipher Block Chaining based cipher suites that had vulnerabilities. SP software was not updated to address vulnerabilities

TLS Hint List Service Provider Identity Provider 1. Client Hello List List of of CA CA names or or a hint list list is is sent sent from the the IdP IdP to to the the SP. SP. 2. Server Hello 3. Certificate 4. Certificate Request 7. Certificate 14. Encrypted Data 14. Encrypted Data

TLS Hint List Requires the IdP to import the correct CA certificate into their trust store. Often, the wrong certificate is imported.

Mutually Authenticated TLS Conclusion Mutually authenticated interoperability problems are not uncommon and not straightforward to troubleshoot Patches from vendors require recertification. Time and money consuming issue for all members of the E-Authentication

Certificate Revocation Certificate revocation list checking feature is lacking in many SAML 1.0 aware products SPs should check CRLs in case IdP keys become compromised SP/IdP connections are managed in a manual way

Certificate Revocation U.S. agencies with strict security requirements have written their own CRL checking software Two approaches to CRL checking: LDAP directory AIA extension Products are now tested for CRL checking functionality

FIPS Requirement U.S. Government agencies are restricted by Federal Information Processing Standards publication 140-2 (Security Requirements for Cryptographic Modules). Generated keys must be FIPS 140-2 compliant. FIPS approved modules are often expensive for a federal agency. Open source toolkits exist (OpenSSL, NSS, Crypto++) but require programming.

E-Authentication PKI Testing Approach SAML products and assertion based identity providers and service providers are tested to determine if they implement the proper mechanisms to assure privacy and trust. Service Providers are tested against three different types of SAML assertion responders. Friendly error must be captured Identity Providers are tested against three different types of Service Provider client certificates. Requirements are easier to meet. CRL checking is configurable by the web/application server

E-Authentication PKI Testing Approach Level two service providers are tested that they don t accept assertions from level one identity providers. All identity providers are tested that they do not issue assertions over a non mutual TLS channel.

Agenda U.S. Federal E-Authentication Background Current State of PKI in E-Authentication Future of PKI in E-Authentication Conclusion

PKI Enhancements to the E-Authentication Adopted Scheme SAML 2.0 requests will be signed. SAML 2.0 responses will be signed and encrypted. Application layer security preferred Removes reliance on web server cryptographic configuration

PKI Enhancements to the E-Authentication Adopted Scheme Mutually authenticated TLS only provides endpoint to endpoint security assertions in plain text in log Web services forward messages to other services IdP could request attribute at SP1 on behalf of SP2. User s nameidentifier at SP2 is unknown by SP1 because it is encrypted by the IdP.

PKI Enhancements to the E-Authentication Adopted Scheme SAML Vendor Wish list Pluggable path validation and discovery engine Engines are capable of discovering paths through complex bridge environments. CRL checking Certificate policy processing Eliminates the need for separate IdP certificate authorities.

PKI Enhancements to the E-Authentication Adopted Scheme web-of-trust is another proposed solution to trust between members of E- Authentication No extensive path processing necessary CRL problem must be solved

X.509 Based Authentication and User Attributes Service Providers need more user information access control activation PKI credential accepting service providers must take advantage of the already existing SAML infrastructure in the E-Auth federation.

SAML Attribute Authority Private Extension Extension contains a URL pointing the service provider to the IdP metadata.

SAML Attribute Authority Private Extension Mutually authenticated TLS Service Provider ` Web Browser Identity Provider

SAML Attribute Authority Private Extension Metadata Fetch Service Provider ` Web Browser Identity Provider

SAML Attribute Authority Private Extension <AttributeAuthorityDescriptor> is located within the metadata User can sign the <AttributeQuery> using browser plug-in. User intent is implied User can also sign a <AuthzDecisionQuery>

Dynamic Attribute Exchange Profile Authentication using X.509 certificate ` Service Provider Web Browser Attribute Authority

Dynamic Attribute Exchange Profile Web Browser ` Service Provider Attribute Request/Response Attribute Authority

Dynamic Attribute Exchange Profile End user certificates would not have to be modified with a static extension. Third party client side code is not necessary to sign an <AttributeQuery> Attribute authority has to be discovered

Dynamic Exchange Profile -- IdP Discovery Profile X.509 Certificate Authentication ` Service Provider Web Browser Common Cookie Domain Server Attribute Authority

Dynamic Attribute Exchange Profile -- IdP Discovery Profile SP redirects browser to CCD Server ` Service Provider Web Browser Common Cookie Domain Server Attribute Authority

Dynamic Attribute Exchange Profile -- IdP Discovery Profile CCD server redirects browser to the Attribute Authority ` Service Provider Web Browser Common Cookie Domain Server Attribute Authority

Dynamic Attribute Exchange Profile -- IdP Discovery Profile Attribute Authority redirects browser to SP ` Service Provider Web Browser Common Cookie Domain Server Attribute Authority

Dynamic Attribute Exchange Profile Service provider makes educated guess of the appropriate Attribute Authority Issuer name mapping

Dynamic Attribute Exchange Profile Educated Guess X.509 Certificate Authentication ` Service Provider Web Browser Attribute Authority

Dynamic Attribute Exchange Profile Educated Guess Attribute Request/Response ` Service Provider Web Browser Attribute Authority

Agenda U.S. Federal E-Authentication Background Current State of PKI in E-Authentication Future of PKI in E-Authentication Conclusion

Conclusion Current PKI issues can be overcome with SAML 2.0 SAML 2.0 provides other benefits X.509 credential based SPs can use SAML infrastructure

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback